
Associate Cloud Engineer Exam - Question 59


You are the organization and billing administrator for your company. The engineering team has the Project Creator role on the organization. You do not want the engineering team to be able to link projects to the billing account. Only the finance team should be able to link a project to a billing account, but they should not be able to make any other changes to projects. What should you do?

Correct Answer: CD

To ensure that only the finance team can link projects to the billing account without making other changes to projects, you should assign the finance team both the Billing Account User role on the billing account and the Project Billing Manager role on the organization. The Billing Account User role allows them to link projects to the billing account, and the Project Billing Manager role permits managing billing associations without granting additional permissions to modify project resources. This approach meets the requirement of restricted access while enabling necessary billing configurations.

Discussion

Bharathy Option: A
Mar 24, 2020

Option A is correct, as we don't want the engineering team to link projects to billing account and want only the Finance team. Billing Account User role will help to link projects to the billing account...

mwwoodm
Sep 8, 2020

Option A makes the most sense since Billing Account User can link projects to the billing account and the question reinforces principle of least privilege. Source: https://cloud.google.com/billing/docs/how-to/billing-access

Nikki2424
May 17, 2024

Yes, but in combination with Project Billing Manager. Also these two roles won't grant rights on any other resources, which is also intended in the question.

Hasaaaan
Jun 8, 2021

Billing Account User also enables the user to make changes in resources.

BobbyFlash
Oct 21, 2021

I would also go with A. I would think they are trying to get a quick answer from you as "Billing Administrator": engineering team already has the project creator role; you just would want finance team to link (and only) link projects to billing accounts, nothing else. Maybe the key phrase here is "but they should not be able to make any other changes to projects" and that would include the action of unlinking projects.

pspandher
Jul 4, 2022

Billing Account User Role when granted in combination with the Project Billing Manager role, the two roles allow a user to link and unlink projects on the billing account on which the Billing Account User role is granted

measme Option: C
May 31, 2020

For me it is C: https://cloud.google.com/billing/docs/how-to/modify-project#permissions_required_for_this_task_2 "Roles with adequate permissions to perform this task: * Project Owner or Project Billing Manager on the project, AND Billing Account Administrator or Billing Account User for the target Cloud Billing account."

obeythefist
Feb 28, 2022

The question states that the finance group should not be able to make changes to existing projects. Granting the finance team organizational level Billing Account Administrator will allow them to make changes to other projects. C cannot be correct.

Robertolo
Oct 12, 2022

Project Billing Manager does not allow making any changes to projects. It's just about linking+unlinking projects to billing accounts. On the other hand, the single role "billing account user" does not grant any right to view projects. Even less likely to link them to any billing account. (see https://cloud.google.com/iam/docs/job-functions/billing "The Billing Account User role gives the service account the permissions to enable billing (associate projects with the organization's billing account for all projects in the organization) and thereby permit the service account to enable APIs that require billing to be enabled."). Thus A is not the correct answer. The right answer is C, without any kind of doubt.

[Removed]
Nov 2, 2022

Are you blind? You posted a link where it's clearly stated in the Billing Account User description: (associate projects with the organization's billing account for all projects in the organization). So you literally posted a link with clarification that answer A is correct. Answer C will give the finance team additional permission to unlink the billing account from projects, and the question clearly states that the finance team should not be able to make any other changes to projects, so C without any kind of doubt is wrong.

izekc
Dec 30, 2022

Billing Account User Principal: Service account that is used for automating project creation. It is for service account, so C is correct

Jake500
Apr 19, 2023

"Project Billing Manager does not allow to make any changes to projects. It's just about linking+unlinking projects to billing accounts" Correct, but the problem states "... You do not want the engineering team to be able to link projects to the billing account." So in that case, wouldn't it be option A?

fracila
Nov 18, 2022

We are assigning the finance team the Billing Account User role on the billing account, which allows them to create new projects linked to the billing account on which the role is granted. We are also assigning them the Project Billing Manager role on the organization (trickles down to the project as well) which lets them attach the project to the billing account, but does not grant any rights over resources.

thewalker Option: C
Nov 23, 2023

As per the below, C is the correct answer: https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam

Zakialts Option: C
Jan 3, 2024

I tried asking Bard from google and I got this: Billing Account User: This role grants basic read-only access to billing information for a specific billing account. This ensures the finance team can see costs associated with projects but not modify any project details. Project Billing Manager: This role allows linking projects to a billing account and managing billing settings for those projects. However, it doesn't grant broader project editing permissions like creating, deleting, or modifying resources within the project. I think I'll go with option C

Ell89 Option: C
Oct 13, 2023

C is correct

ezzar Option: A
Oct 21, 2023

https://cloud.google.com/billing/docs/how-to/billing-access Billing Account User (roles/billing.user) This role has very restricted permissions, so you can grant it broadly. When granted in combination with Project Creator, the two roles allow a user to create new projects linked to the billing account on which the Billing Account User role is granted. Or, when granted in combination with the Project Billing Manager role, the two roles allow a user to link and unlink projects on the billing account on which the Billing Account User role is granted.

gsmasad Option: A
Nov 1, 2023

A is correct because the question tricks you with the engineering team input; it doesn't need to perform anything on the engineering team.

Linhtinh603 Option: C
Nov 22, 2023

C is correct, as the finance team needs roles/billing.projectManager to allow them to manage the billing for the project without granting them resource access. D is incorrect because the finance team needs to have the Project Creator role or a similar role to have resource access before using roles/billing.user to link a project to the billing account. Document: https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam

ogerber Option: A
Dec 4, 2023

Option A is enough, https://cloud.google.com/billing/docs/how-to/billing-access

mohammedali2405 Option: C
Jan 4, 2024

C is definitely the right answer here. "Cloud Billing Account User when granted in combination with the Project Billing Manager role, the two roles allow a user to link and unlink projects on the billing account on which the Billing Account User role is granted." Source: https://cloud.google.com/billing/docs/how-to/billing-access

LautaroBarone
Jan 12, 2024

Yeah, with those roles the user is able to "link and unlink projects", but we are asked to give the financial team access to link only ONE project to a billing account (pay attention that it doesn't say unlink, so it's not necessary). If you read the permissions of the Billing Account User in the link that you sent, you will see that this role can link a project to a billing account, which is just what we were asked to do, so option A is correct.

fdelacortina Option: A
Jan 19, 2024

Option C is not correct because the Project Billing Manager role would give the finance team permissions to manage billing on projects, which is more access than you want to provide. The Billing Account User role is sufficient for the finance team to link projects to the billing account

b4b3160 Option: C
Feb 10, 2024

Option C. As stated in docs -> https://cloud.google.com/billing/docs/access-control#tbl_perm projects.updateBillingInfo -> Billing Account Administrator or Billing Account User, AND Project Billing Manager

shmoeee Option: A
Feb 18, 2024

Answer is A. 100%. They are asking for Finance to ONLY be able to link projects to billing (not unlink, etc.). This role has the billing.resourceAssociations.create permission. Per documentation for Billing Account User: "When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts." https://cloud.google.com/billing/docs/access-control#billing.user

shmoeee
Feb 18, 2024

*Answer is C. 100%

PiperMe
Mar 5, 2024

Negative, GhostRider. A has insufficient permissions. The Billing Account User role alone doesn't provide the ability to manage the billing association of projects within the organization.

DWT33004 Option: C
Apr 12, 2024

To achieve the desired level of access control, where only the finance team can link projects to the billing account while preventing them from making other changes to projects, you should follow these steps: C Explanation: Assigning the finance team the Billing Account User role on the billing account allows them to link projects to the billing account, which is necessary for managing billing. Assigning the Project Billing Manager role on the organization to the finance team allows them to manage billing for projects within the organization without granting them additional permissions to modify projects themselves. This approach ensures that the finance team has the necessary permissions to manage billing-related tasks while restricting their access to project management functionalities, such as creating or deleting projects, which are typically associated with the Project Creator role.

Nikki2424 Option: C
May 17, 2024

When granted in combination with the Billing Account User role, the Project Billing Manager role allows a user to attach the project to the billing account, but does not grant any rights over resources.

hankun Option: A
Jun 3, 2024

C is not good because in this link https://cloud.google.com/billing/docs/how-to/billing-access, the role Project Billing Manager allows "Link/unlink the project to/from a billing account". Unlink is not good in this situation.

NMG264 Option: C
Jun 17, 2024

The Billing Account User role in GCP allows a user to view and manage billing accounts, but does not grant permissions to associate projects with billing accounts. The Project Billing Manager role is more focused on associating GCP projects with billing accounts.